What “really” matters in Cyber?
TRANSCRIPT
-
Mike [email protected]/MSEE, CISSP & CISO SysEngr
ISSA / ISC2 / SOeC AFCEA / NDIA IEEE / INCOSE / et al
What REALLY matters in Cyber?
RE: Internet of things, privacy, security and beyond
Circa 2015
Not sure HOW it can affect you (as it HAS already)?
AND what is it that MORE we have to do???
COMPLEXITY
easy button
Bottom line - As in ALL things it is mostly about the value proposition!
ISC2 with IEEE Cyber
-
What's Wrong With This Security?
The issues / gaps therein are where the cyber opportunities are!!!
The gates were fully locked, properly configured and validated.
I could not get through them. But.... Thus Cyber can be an illusion
When a capability is invisible, like IA, safety, reliability, etc, what you see is not the whole picture!
-
Cutting through the CyberSecurity Fog!
B.L.U.F. Bottom Line Up Front
The threats are very real, and the news shows a small percentage
It does not just happen to the other guy YOU WILL be / ARE affected.
Focus on business risk reduction and minimizing legal liabilities
Adequate cyber protections are but one part so is cyber insurance.
You can not buy cyber security, you must manage cyber (many parts).
The standard IA/Security suite is pretty good IF maintained well in operation.
The P6 principles still apply (being prepared) with strategic partnerships.
Few can afford to go it alone TEAM up & use a managed security service.
Don't fix cracks in the cyber walls while the barn door is open!
Keeping your cyber suite well maintained cuts incidents by 95%
-
OK, so what does matter in Cyber?
It's NOT about expensive new cyber capabilities / toys, but more about the interoperability glue (distributed trust, resiliency, automation, profiles)
You can NOT buy cyber, so do the cyber BASICS well!!! An achievable 90-95% reduction in security incidents stabilizes the environment!
CYBER is fundamentally all about TRUST and DATA (identity, authentication, secure comms; provenance, quality, pedigree, assured)
90+% of security incidents are from lack of doing the basics! USE effective Security Continuous Monitoring (SCM / SIEM) a MUST DO!
With enforced: cyber hygiene, enterprise access control, & reduced complexity (APLs)
Shift from only protecting the network, to the DATA security itself information centric view
Embrace your Risk Management Plan (RMP) - LIVE IT!
Have an enforceable security policy (what is allowed / not) and train to it
KNOW your baseline - Protect the business from the unknown risks as well
Employ a due diligence level of security then transfer residual risks!
-
So then, what MUST we DO?
(MY TOP TEN - well, to at least the first / second order effect, 95% level!)
1 - KNOW your baseline from several views / aspects:
Follow the SANS top 20 and NSA top 10 mitigations AND map your security mitigations into the NIST SMB Security guide (TR 7621)
- keep track of your HW / SW assets and their versions / status, as you can't manage what you don't know. Document what your secure baseline is, then monitor it.
- maintain the cyber suite (hygiene, settings, patches, etc; automate where possible) and enforce strict access control (implement least privilege, use two-factor authentication on key data / equipment (especially on sensitive data / critical cyber capabilities), two-person control on key assets, limit PC-to-PC / peer-to-peer comms, minimize privileged accounts, etc)
- make it hard for hackers to get in and get around; this is JOB ONE: effective firewall rules (deny all with exceptions; monitor traffic going in and out), segment the networks, tighten / lock down the browser (where around 80% of all malware comes in, and using SSL it bypasses your cyber suite too), and don't allow users / non-admins to install anything on any end user device!
2 - Encrypt, encrypt, encrypt (and have a really good key management program too, as that's the real key).
-
So then, what MUST we DO?
3 - Use approved IA / cyber products
- Only buy off the NIAP/NSA/DISA lists of Approved / Preferred items (APLs).
- Minimizes your product complexity ...and... they come with C&A / A&A / V&V security pedigrees too!
4 - Effective SCM / SIEM / monitoring capability
- Watch for unusual behavior and keep track of key cyber settings, DNS, etc.
- And user actions too (humans, when monitored, always behave better).
5 - IDS/IPS (signatures) AND anomaly detection capability
- Watch for insider threats while monitoring both incoming AND outgoing traffic.
- Whitelisting works and is not hard to do; put developers in an isolated sandbox
6 - DLP / DRM / data tracking capability
- Follow the data, complement SCM, support a continuous audit (risk) approach
-
So then, what MUST we DO?
7 - User awareness and education / training
- Make it personal, targeted (JIT) info to user types, even fun / make a game of it
All these capabilities exist, are sold by many vendors, and are not hard to buy, use, and monitor
To build your own effective defense-in-depth / breadth cyber ecosphere see our plan too!
http://www.sciap.org/blog1/wp-content/uploads/executing-an-effective-security-plan.pdf
8 - Add in a little "OSI" too (open systems intelligence)
- Know who might be targeting you and the methods they would use against you
- Join your sector ISACs, etc to be aware of the threats and common mitigations
9 - Risk Management Plan is essential
- RMP must integrate and support the business success factors / line managers!
- RM has many moving parts to account for, so write them down (see following slide)
10 - Get Cyber Insurance
- Part of risk management; transfer risks, but know what IS (and is not) included
-
Security Main Factors
Given ALL the NIST / NSA / DISA guidance (see back-ups) - What MUST WE DO?
Implement the NIST absolutely necessary elements first and foremost to protect your data (encryption and backups)
Effective passwords: still the bane of basic security, and policy is still poor!
(tokens / two-factor authentication should be used for critical data / processes)
Securing the client: fortifying the browser, buying trusted business apps / services, where the browser / client is THE largest malware entry point!
Minimal security suite: antivirus, firewall, IDS, VPN, ISP / wireless security
Monitoring tools need to manage CM / hygiene, track users / data, provide alerts (SCM / SIEM), and support preplanned SOPs / IRP / BCP / COOPs, etc
Enforce a living security policy: quantify actual risks, strict need to know,
DATA protection - encryption, keys, and access control - minimize IP loss, DLP
A robust and adaptive security strategy = risk management plan (RMP) to keep pace with the fast-evolving nature of IT security, including cloud services / SLAs, etc
Our Cyber Security operator course collates all these guides and maps
-
The Integrated Business RM Approach + Making the Risk Management Plan (RMP) work!
RMP elements:
- Company Vision (business success factors)
- C&A / V&V (effective / automated)
- Security Policy (mobile, social media, etc)
- Education / Training (targeted, JIT, needs based)
- Known Baseline (security architecture)
- CMMI / Sustainment (SOPs / processes)
- MSS / CISO (3rd party IV&V support)
- Data Centric Security (DLP, reputation based methods)
- Insider Threat
- Company Intel (open source, FB, etc)
- SCM / SIEM (monitor / track / mitigate)
- Cyber insurance (broker & legal counsel)
- Privacy by Design (manage PII, HIPAA, compliance)
Common Business RMP model (re: RMF / COBIT & Risk IT)
AND using the NIST Cybersecurity Framework (re: CAR / ESA)
-
Complexity of Enterprise IT Systems is Increasing
AND so is the associated Cyber Security, from sensor to cloud!
Follow the DATA: where is it, who has it, how sure are you?
So - what is good enough security?
-
What's new in cyber, and what matters?
RFID, Apps, MEMS, WSN, sensors,
SCADA, PLC, ASIC, API, ETC, etc
Sensor + WiFi = device --- Things -> systems, machines, equipment, and devices all connected to each other
Is all this stuff secure?
How much is needed?
The Internet of things (IoT) is not really new
IoT requires ALL the cyber protections we already know - and still need to implement!
COMPLEXITY is everywhere!
Where sensors dominate: Where / How does privacy fit in IoT?
-
Gartner's 2013 Hype Cycle for Emerging Technologies
Everything connected to everything
? Comms Secure ?
Automation = machines in control
? M2M Secure ?
Pervasive new technologies
? Built secure ?
ALL the technologies need built in security = secure data, comms & privacy!
How do we prove end-2-end security?
What is an adequate / due diligence level of security???
CYBER is all about SECURE: technologies, DATA and communications!
-
Cyberspace Characteristics
All of the warfighting - and related business - domains intersect
Cyberspace Domain is contained within and transcends the others
In relation to other mission areas run by different Communities Of Interest (COI), cyberspace is a blend of exclusive and inclusive ties
Frequently the COI boundaries / MOAs are implicit
These Venn connections / COIs are pervasive
Numerous, dynamic COIs dominate relationships - adding Complexity & Comms & Control overhead - causing cross domain / COI DATA sharing effects
(Venn diagram domains: IA / Security, C2, CIP / infrastructure, Banking / retail, Manufacturing, Communications)
Do NOT underestimate this aspect; it affects the CONTROLS needed for Privacy!
-
What are KEY cyber elements? (and what can we reasonably expect to influence / affect?)
Fundamental issues (givens?)
- Threats are elusive / morph, so plan / mitigate around consequences (aka, a fault tree)
- KISS, as complexity is our enemy; do the basics well (hygiene, anonymity, etc)
- In a connected world, it's the shared vulnerabilities that will get you / ALL of us
- They have an asymmetrical advantage; plan with it (and they don't follow the rules / laws)
- WE ALL need common homogeneous security protection in a heterogeneous world
Essential gaps / needs (tenets?)
- Invest in the OSD / NSA R&D / S&T gap capabilities, as authoritative sources
- Apply trade-offs / assessments using a common end-state (an open / ubiquitous world)
- Use an enterprise risk management plan (RMP), and FOCUS on proactive SCM!
- If you can't integrate it into your IT / network environment, then it is useless
- Minimize what you don't know you don't know & get cyber insurance
If you don't know where you're headed, any blind alley will do. The bad actors continue to count on US ALL not being in sync.
-
Cyber requires enterprise integration
Things are only the stuff we need to accommodate all IT/IA aspects!
Systems / capabilities are characterized by their boundaries
Where interfaces / controlling parameters / PPSM are key
IoE = IoT + people, process, policy and DATA
-
Things must communicate
No. of paths = n(n-1) = exponential
Are ALL using secure channels? Data protected? Adequate authentication? No covert paths established?
10s of thousands of trillions of communication paths!
Securing low BW channels requires optimal cryptography algorithms, adequate key management systems, and security protocols that connect all these devices
-
Mobile devices and wireless: always predicted, yet proliferates in 2014
Increasing Android Trojans, digital wallets, USER provided network services / access points!
Wireless security issues expand (besides 802.11 & WiMAX, to Zigbee, Z-Wave, ARM, etc.)
BYOD: many more hidden costs, legalities and risks than it appears at first
Cyber crime: easy money, minimal downside and growing (ransomware, etc)
Illicit cyber revenues have essentially equaled all illegal drug trafficking dollars
The insider threat is much more impactful than given credit for, considering compromised services and computing devices of all kinds (aka, supply chain security).
With improved social engineering attacks and stealth exfiltration techniques, etc
Threat Vectors of Interest (examples)
Mobile devices and cloud infrastructure hacking are two of the biggest attack vectors in crime / terrorism in 2014 and beyond
Verizon Data Breach Report (2012): MOST breaches avoidable!
- 96% of attacks not difficult
- 85% took weeks to discover (average is 416 days)
- 92% discovered by a third party
- 85 - 97% of data breaches / security incidents avoidable through simple or intermediate controls
Forbes - The Biggest Cybersecurity Threats of 2013+: Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware
- AND Cloud security - pretty good, SLAs not enough, but ISPs / data centers better than most
-
Threat Vectors of Interest (Cont.)
SSL / XML / web (HTML5) / browser vulnerabilities will proliferate
Browsers remain a major threat vector (80% - bypasses the IA suite) & watering holes
JAVA / VM / active code MUST be strictly managed / controlled / under CM
Convergence of data security and privacy regulation worldwide... Compliance gets pervasive (PCI DSS, HIPAA, etc) ... Shift focus to privacy by design!
Data security goes to the cloud - where security due diligence is more than SLAs!
IPv6 transition will provide threat opportunities
Data Loss Prevention (DLP) is still needed
Containment is the new prevention (folks now get the "resilience" aspect...)
MUCH to consider in the threat equation, and it's always changing
Hence why you must ALSO practice consequence risk management
Nation-sponsored hacking: when APT meets industrialization
More targeted custom malware (Stuxnet -> Duqu / and FLAME! are only the beginning)
Misanthropes and anti-socials / hacktivism morphs: ANYONE can do it now!
Full time incident response needed: COOP, forensics, reporting, etc, etc
Monitoring and analysis capability increase, but not enough (re: near real-time forensics & chain of custody evidence); continuous monitoring is KEY (re: SCM / SIEM)
-
Verizon Data Breach Investigations Report - DBIR (2014)
We have met the cyber enemy, and they are US(ers)
10 year series, 63,437 incidents, 1,367 breaches, 95 countries
WHAT - 92% of incidents described by just nine patterns
- shift from geopolitical attacks to large-scale attacks on payment card systems
Sectors - Public (47,479), Information (1,132) and Finance (856)
Threats (%):
- POS intrusions - 31
- Web App Attacks - 21
- Cyber espionage - 15
- Card Skimmers - 14
- Insider misuse - 8
- Crimeware - 4
HYGIENE Factors
See also - Ponemon Institute's cyber report: key threats from cost based activities - malware, malicious insiders and web-based attacks
Forbes lists these: Social Engineering; APTs; Internal Threats; BYOD; HTML5; Botnets; & Targeted Malware
A huge sample size! This includes YOUR business category too!!!
Mitigations:
- restrict remote access
- enforce password policies
- minimize non-POS activity on those terminals
- deploy A/V (everywhere, POS too)
- evaluate threats to prioritize treatments
- look for suspicious network activity
- use two-factor authentication
-
Yes, It really is ALL about the DATA*
2020 Data Vision (courtesy of Dan Green / SPAWAR):
Themes and Memes (Technology vs Technology Adoption)
Convergence = Genomics, Robotics, Informatics, Nanotech (each a $B+ market)
Meme: an idea, behavior, or style that spreads from person to person within a culture
It's a data-centric world; thus we need Privacy by Design (PbD)
CBAD = Cloud, Big Data, Analytics, Data Science (are you all-in?)
Telematics = Sensing robotics, Cyber Physical Systems (will kids need to learn to drive?)
Interactive 3D = Augmented Reality, HTML 5, Three.js (3D graphics for WebGL)
Embedded Computing = eHPC, Tessel (mCPU / Java), Programmable hardware
LBS = Location Based Services, IPS, Beaconing, NFC
IoT = Internet of Things, M2M, Quantified Self
Mobilization = Preparation for Conflict/Competition, Autonomy, The Draft
STEM = Science Technology Engineering Math , Generation NOW, Old Dogs (YOU)
* and TRUST!
-
A cyber end-state stresses encapsulation using secure communications
What's a simple IA/Cyber vision / end-state look like?
AND what are the requirements?
AND DATA - assured / pedigree / provenance? Privacy satisfied?
Cyber is ALL about TRUST, Rules/MOAs & State
IoT = things + comms
(Diagram: KEY C-I-A entities / touch points - things, comms, the cloud; e.g., object oriented programming)
-
NSPD-54/HSPD-23: CNCI-1 12 Initiatives (http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative)
Focus Area 1 - Establish a front line of defense
- Trusted Internet Connections
- Deploy Passive Sensors Across Federal Systems
- Pursue Deployment of Intrusion Prevention Systems
- Coordinate and Redirect R&D Efforts
Focus Area 2 - Resolve to secure cyberspace / set conditions for long-term success
- Connect Current Centers to Enhance Situational Awareness
- Develop Govt-wide Counterintelligence Plan for Cyberspace
- Increase Security of the Classified Networks
- Expand Education
Focus Area 3 - Shape future environment / secure U.S. advantage / address new threats
- Define and Develop Enduring Leap-Ahead Technologies, Strategies & Programs
- Define and Develop Enduring Deterrence Strategies & Programs
- Manage Global Supply Chain Risk
- Define Federal Role for Cybersecurity in Critical Infrastructure Domains
Cyber efforts must synchronize with Federal Investments
The HARD part is implementing enterprise integration, interoperability and controlling emergent behavior - that can affect most focus areas
-
DoD Cyber Priority Steering Council (PSC) S&T / R&D Roadmap
What matters? Key Capability Gaps / Areas 4+1:
- Cyber M&S and Experimentation (Cross Cutter)
- Autonomous responses and C3 Tools
- Environment is robust and self-healing
- Mixed trust levels in heterogeneous space
- Support essential business success functions
(Source: Cyber PSC PA-Releasable Briefing, November 2012)
Gaps are not things / capabilities but integration and interoperability!
-
KEY Enabling Technology Areas
- Response and Cyber Maneuver
- Visualization and Decision Support
- Human Factors and Training
- Malware/Forensics Analysis and Reverse Engineering
- Resilient Infrastructure and Comms
- Scientific Theory and Measures
- Sensing and Data Fusion
- Software Pedigree and Provenance
- Distributed Trust
- Resilient Architectures
- Component Trust
- Detection and Autonomic Response
- Advanced Cross-Domain Solutions
- Advanced Cryptography
- Quantum Computing, Comms, and Crypto
- Biometrics
- Code Verification and Compliance
- Correct (Assured) by Construction Software
- Deception and Information Hiding
- Recovery and Reconstitution
(The slide rates each area by value / need: high / med / low)
CYBER is fundamentally about distributed trust / assured DATA / secure messaging!
Additional specificity / details and needs / gaps in back-up
-
Strategic Cyber Elements
(1) Collaborate on common enterprise IA / cyber strategy and vision: policy mapped to prioritized capabilities with assigned resources = good enough / cyber sufficiency!
(2) Develop a common overall enterprise risk assessment (ERA) approach: accounts for both significant threat vectors AND vulnerability consequences -> key mitigations; use the NIST RMF (Risk Management Framework (800-37)) weighted in the CNCI-2 12 focus areas
(3) Align and synchronize resources and cyber gaps / initiatives across federal & commercial organizations and tier 1 - tier 3 architecture perspectives (IT & cyber are ONE)
(4) Address pervasive lack of basic cyber hygiene enterprise wide, within the complete, life-cycle aspects of an organization's people, processes and products (technology); enforce a scalable, global access control model that preserves least privilege and attenuated delegation (ZBAC)
(5) Reduce complexity - Build a trusted cyber infrastructure: use APLs along with the existing IA/CND infrastructure, as an integrated SoS with enforced CM; thus optimize our overall cyber package and ensure synchronization and RESILIENCY!
(6) Better integrate / leverage education and proactive defense (and IO); stealth offense best left to law enforcement / qualified federal entities (or escalation / retaliation will occur)
Top down approach to a balanced, prioritized cyber execution plan
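Item (4) above asks for an access control model that preserves least privilege and attenuated delegation (ZBAC). The Python below is an added illustration of what "attenuated delegation" means in practice; it is not code from this deck and not any ZBAC product's implementation. A capability token names a resource and carries a list of caveats; each delegation step appends a caveat and re-signs with a chained HMAC (the macaroon construction), so a holder can narrow the rights it passes on but can neither widen them nor strip an earlier caveat, because only the issuer's key can rebuild the chain. The issuer key, resource name, rights and caveat syntax are all assumptions made for this example.

```python
"""Added illustration of attenuated delegation (not from the original deck):
a capability token that a holder can narrow but never widen.  Signature
chaining (HMAC over the previous signature) means a caveat, once added,
cannot be removed without the issuer's key.  Key, resource names, rights
and caveat syntax are all constructed for this example."""
import hashlib
import hmac

ISSUER_KEY = b"constructed-issuer-key"   # held only by the authority that verifies


def _chain(prev_sig, caveat):
    """Next signature = HMAC-SHA256(previous signature, caveat text)."""
    return hmac.new(prev_sig, caveat.encode(), hashlib.sha256).digest()


def issue(resource, rights):
    """Authority mints a root capability for one resource with a rights caveat."""
    first = "rights=" + ",".join(sorted(rights))
    sig = hmac.new(ISSUER_KEY, resource.encode(), hashlib.sha256).digest()
    return {"resource": resource, "caveats": [first], "sig": _chain(sig, first)}


def attenuate(cap, caveat):
    """Holder narrows the capability by appending a caveat.  No key is needed,
    and the new signature commits to every caveat before it."""
    return {"resource": cap["resource"],
            "caveats": cap["caveats"] + [caveat],
            "sig": _chain(cap["sig"], caveat)}


def effective_rights(cap):
    """Rights = intersection of every rights= caveat, so delegation only shrinks."""
    rights = None
    for c in cap["caveats"]:
        if c.startswith("rights="):
            s = set(filter(None, c[len("rights="):].split(",")))
            rights = s if rights is None else rights & s
    return rights if rights is not None else set()


def verify(cap, action, now):
    """Authority recomputes the chain from its key, then evaluates the caveats.
    Returns True only if the token is intact and every caveat permits `action`."""
    sig = hmac.new(ISSUER_KEY, cap["resource"].encode(), hashlib.sha256).digest()
    for c in cap["caveats"]:
        sig = _chain(sig, c)
    if not hmac.compare_digest(sig, cap["sig"]):
        return False            # tampered, or a caveat was dropped
    for c in cap["caveats"]:
        if c.startswith("expires=") and now > int(c[len("expires="):]):
            return False        # delegated token has lapsed
    return action in effective_rights(cap)


def demo():
    """Walk through issue -> delegate -> verify; returns each outcome by name."""
    root = issue("db/customers", {"read", "write"})
    helper = attenuate(attenuate(root, "rights=read"), "expires=200")
    widened = attenuate(helper, "rights=read,write")      # attempt to regain write
    stripped = {"resource": helper["resource"],           # attempt to drop caveats
                "caveats": root["caveats"], "sig": helper["sig"]}
    return {
        "root_write": verify(root, "write", now=100),          # True
        "helper_read": verify(helper, "read", now=100),        # True
        "helper_write": verify(helper, "write", now=100),      # False: attenuated
        "helper_late": verify(helper, "read", now=300),        # False: expired
        "widened_write": verify(widened, "write", now=100),    # False: still read-only
        "stripped_write": verify(stripped, "write", now=100),  # False: chain mismatch
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The point to take from `demo()` is that the verifier never trusts the rights the token claims; it recomputes the chain from its own key and intersects every rights caveat, so a delegate that appends a broader `rights=` caveat still ends up with the narrower set, and a token whose caveat list has been edited fails the signature check outright.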
-
SO just what are we trying to orchestrate? IA & CND
An integrated Cyber Defense in Depth / Breadth (DiD) EcoSphere: using dynamic lag and lead feedback, establish proactive, dynamic CND / IA Defense
(Feedback-loop diagram; recoverable elements:)
- Red Teams / Defensive assessments -> forensic feedback (lagging indicators)
- Upgrades (developed & installed; takes days to months)
- SA (Sensors, CNA/E inputs, OpSec, Intel, etc)
- Users & CoC -> predictive feedback (leading indicators)
- Cyber I&W / Virtual Storefront
- NMS / Security Management tools: change soft settings (takes secs to mins)
- Inputs: threats, V&V / C&A, CERT / FBI incident results, I&W / SCM, insider threats
- IDS / IPS / DLP / etc sensors (near real-time!)
All PbD capabilities (including IoT) must be well integrated into the cyber system
With big data / predictive analytics / SIEM
-
Building a Trusted Cyber Infrastructure = an adequately assured, affordable, net-centric environment
(built from disparate heterogeneous capabilities that we must integrate into a homogeneous cyber ecosphere!)
Make IA / CND / Security a commodity:
Use & enforce IA building blocks = APLs/PPLs -> NIAP
Interoperability and compose-ability are built in upfront and help dramatically reduce complexity and ambiguity
Thus, establishing known risks & pedigrees reduces attack surface, risks & TOC = baseline for PbD & IoT!
Focus on a few core capabilities & devices = PC, routers, IA suite, Servers, & SANS, all with access control
(Diagram elements, with Evaluation Assurance Level (EAL) scale 2 - 7:)
- WAN Router / Distribution Router / Core Router: Assured IOS, EAL 4 - 5
- PC / End user devices: Secure OS, TSM, HBSS, ZBAC, EAL 3 - 4
- Servers: EAL 4
- SANS / Network Devices
- IA Suite = Standard IA/CND suite: FW, A/V, IDS/IPS, CDS, VPN, Crypto, Key Mgmt, Security Policy (various EAL)
- HW / FW: Secure OS kernel, Secure Virtual Machine, Strict access / ZBAC, ALL OSes (MS, Mac, Unix), Security Monitor, EAL 6
- Data centric security, Defensive I&W, Strict access / ZBAC: EAL 5 - 6
- Edge: RFID, MEMS, WSN, sensors, ICS / SCADA, etc
All connections / communication paths need Assured Identity, Authentication & Authorization
-
IA / Cyber and DATA must be built E2E!
Thus, the DATA, IA/cyber controls, interfaces and profiles in each element / boundary must be quantified / agreed to upfront!
(Hierarchy diagram: Enterprise > Site > Enclave > Network > SoS > Apps / services > HW/SW/FM > CCE)
Each sub-aggregation is responsible for the data / controls within their boundaries and also inherits the controls of their environment, where we need to formalize the reciprocity therein!
WE have a natural hierarchy in our enterprise IT/network environment, where complexities arise in the numerous interfaces and many-to-many communications paths typically involved in end-to-end (E2E) transactions
DATA - AND people and processes TOO!
How does the DATA move and what are the privacy protections / controls at each layer?
-
Notional Data Centric Architecture (DCA) iso the required privacy needs
(Layer diagram: DATA - Storage - Services - Apps - Host / device - transport; IA / Security / cyber (e.g., defense in depth (DiD)); IA controls / inheritance; Business logic; Middleware; Behavior monitoring; FW / IDS / IPS; SCM - Continuous monitoring; OMG / DDS; Reputation-based Security)
Supports quality / assured data (with a pedigree / provenance)
Data is either at rest, being processed OR in transit
Must account for the four Vs: Volume, Variety, Velocity and Veracity
A PbD Cyber Model translates the data 4Vs into privacy attributes and controls
What IA/security capabilities are needed for the DATA itself?
Cyber must be preserved in the full data AND capabilities life-cycle
How does the DATA move about?
Must accommodate BOTH in-house and cloud
-
DCA major elements
Data-centric architecture (DCA) decouples designs and simplifies communication while increasing capability and easing system evolution. DCA can link systems of systems into a coherent whole, using an open standard (OMG DDS). Transports, operating systems, and other location details do not need to be known, allowing adaptation to performance, scalability, and fault-tolerance requirements.
Define and modularize DCA components = create specifications (capabilities and profiles): DCPS, DDSI, DataReader, DataWriter, Pub / Sub, Java, mobile code, widgets, storage SW, middleware, services, ESB, etc; these all also have cyber security aspects built in
Use OMG / DDS as a reference AND the data schema / tagging authoritative sources
SECURE DCA services = Data Centric Security (DCS)
http://i.opensystemsmedia.com/?bg=ffffff&q=90&w=871&f=jpg&src=http://attachments.opensystemsmedia.com/MES4284/tables/1
-
DCA / DCS Overall Construct (need to V&V that security is built in / adequate in services)
(Diagram: Web Services, Event processing, Database, ESB, Workflow engine, Legacy Bridge, ... all attached to the DATA bus (DDS middleware infrastructure) & DCS services)
+ Standard IA / CND / security suite = IA devices = Firewall, A/V, IDS/IPS, Crypto / Key Management, & VPN
+ Network infrastructure = CCE = common core computing / network environment - with IA enabled devices
Other services / capabilities:
- Data to user authentication
- Signed / secure applications
- Protected communications
- Authoritative / assured DBs
- Virtual private data-stores (e.g., VPNs)
- Cryptographic boundaries for isolation
- Target Java and .NET for enterprise stacks
A PbD cyber model must map the data methods, controls, & services into privacy aspects.
-
Data centric services and cloud evolution: ownership and security
(Shared-responsibility stack per deployment model; who manages each layer)
Layer           On-premises (pre-cloud)   IaaS (Cloud v1)   PaaS (Cloud v2)   SaaS
Application     You manage                You manage        You manage        Vendor managed
Data            You manage                You manage        You manage        Vendor managed
Middleware      You manage                You manage        Vendor managed    Vendor managed
OS              You manage                You manage        Vendor managed    Vendor managed
Virtualization  You manage                Vendor managed    Vendor managed    Vendor managed
CPU/Storage     You manage                Vendor managed    Vendor managed    Vendor managed
Networking      You manage                Vendor managed    Vendor managed    Vendor managed
PaaS objective for combined / hybrid environments (with premise and cloud)
Securing the data & application layers can inoculate them from lower layer risks
-
Cyber Security is Complex from a Technical Perspective
What factors must be addressed in PbD? Which ones are inherent in the IA/CND/Cyber suite?
(From an IBM security brief; factors shown:) Kerberos, PKI, Token, Digital Certificate, Thin Clients, Biometrics, HIPAA, VPN, IPSEC, SSL, Hardening, Cloud, XML Gateways, Secure Collaboration, Compliance, Secure Blades, H/W Crypto, SOX, DAC, RSBAC, FIPS 140-2, Trusted OS Guards, Cyber Security, SaaS, Wireless
-
+++ Cyber Model for PbD +++
Standard IA / CND suite = IA devices = Firewall, A/V, IDS/IPS, Crypto / Key Management, & VPN
Typical Network infrastructure = CCE = common core computing environment (with IA enabled devices properly set up - operating systems, database management systems, network management systems and web browsers)
Monitoring, tracking, assessment = SCM / SIEM, DLP / RBS, R-T C&A/V&V, etc
Data Centric Security (DCS) enabling PbD
+ Data Encryption end2end focused on services / applications (PaaS model)
+ Multi-factor authentication - add time, location, etc (re: RAdAC end-state)
+ Security Policy management Automated, serve multiple avatar levels in PbD
+ Application engineering - Common model for services, apps, phones, APIs, etc
+ are added on top of the IA/CND/Security cyber suite
Use existing products in each + capability we have several favorites;-))
(AND an integrated AI/smart correlation / POA&M tool mapped to NIST cybersecurity framework functions / tiers)
http://www.sciap.org/blog1/wp-content/uploads/Privacy-PAYS-4-cyber.pdf
-
Key Tactical Thrusts to DO Now
COMMON national cyber security approach / end-state
Consequence based enterprise risk assessment (don't chase threats)
Dynamic Cyber Enterprise Management (enforced hygiene)
KEY capability: security continuous monitoring (SCM) (can't manage what you can't measure)
Top-down enforcement of IA / Cyber architecture
Secure enterprise access control / ENFORCE least privilege (re: ZBAC) / Cyber IFF
Common enterprise trust model (and implement TPMs, etc)
Reduce complexity - use APLs / VPLs / IA Building blocks with pedigrees
USE SCM to manage your IA/cyber suite quasi real-time with SME help!
Effective lifecycle education and training
Targeted training: user awareness and IA/cyber SMEs (who manage it all)
High impact activities get us all moving quickly
95+% security incident reduction - YES!
-
What is Cyber Hygiene? (and the HUGE percentage of security incidents caused by lack of it)
National Security Agency (NSA) (80-85%)
NSA IAD director: just improving the IA Management aspects of security (aka, hygiene factors) will reduce security incidents by over 80%
IA Management = CM, monitoring environment, follow SOPs
http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf
http://www.sans.org/critical-security-controls/guidelines.php
Verizon (2012 Data Breach Investigations Report) (up to 97%)
Report covered 855 incidents, 174 million compromised records
--- Breaches almost entirely avoidable through simple or intermediate controls
Threats: 98% from external agents, 81% from hacking, 69% used malware
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Navy (our red team / NCDOC) (over 90%)
Poor accountability factors = willful misuse, lack of CM (& IAVA / patches), not having / following procedures, weak enforcement of policy, etc
They must spend all their time / resources fixing the easy vulnerabilities
HYGIENE = Maintaining / monitoring your IA / Security / cyber equipment settings
As any incorrectly set cyber capabilities make them much less effective!
-
Cyber Hygiene: the many faces of neglect
Our IA/CND/Security cyber suite is quite good IF maintained!
- Equipment settings (FW, A/V, IDS, etc): monitor / enforce
- Standard operating procedures (SOPs): USE / enforce them
- Social media content & settings: restrict sharing / privileges
- Security Awareness: ALL levels reinforce; incentivize good vs bad
- Privacy and PII: enforce policy (note - EU is stricter)
- Incident reporting: no incident too small; notify USCERT / FBI
- Controlled Access: enforce least privilege; separate / rotate duties
- Know your security baseline AND employ SCM / SIEM
- Maintain Cyber Suite: patches, upgrades, etc
You cannot buy cyber security (assuming you have an adequate IA/CND/Security/Cyber suite); YOU must manage Cyber: actually DO and verify it!
(compliance == security)
Will lack of cyber hygiene continue to put you at MUCH greater risk?
-
Security Continuous monitoring (SCM)
38
- What is SCM anyway? SCM is ongoing observance with intent to provide warning. A SCM capability is the ongoing observance and analysis of the operational states of systems to provide decision support regarding situational awareness and deviations from expectations.
SCM is a risk management approach to Cybersecurity that maintains a picture of an organization's security posture, provides visibility into assets, leverages use of automated data feeds, monitors effectiveness of security controls, and enables prioritization of remedies.
http://scap.nist.gov/events/2011/cm_workshop/presentations/pdf/DULANY%20-%20CM%20Brief16%20Mar.pdf
An Enterprise SCM technical reference model (based on the Continuous Asset Evaluation, Situational Awareness and Risk Scoring Reference Architecture Report):
http://csrc.nist.gov/publications/drafts/nistir-7756/Draft-NISTIR-7756_second-public-draft.pdf
- What good is it? MANY ROI benefits: real-time awareness of security posture, cyber benchmarking, complements audit / compliance efforts, improves cyber performance, reduces risk exposure and simplifies risk management overall. Third party IV&V monitors of hygiene AND potential new threats!
http://raw.rutgers.edu/docs/wcars/23wcars/presentations/Mike%20Cangemi-The_Benefits_of_Continuous_Monitoring_edited_final_8-11[1].pdf
- WHO does this now, where do I go for help? DISA and DHS have efforts in play already (DHS is funding continuous monitoring as a service (CMaaS)). The State Department DID early SCM several years ago and reduced C&A costs over 90%.
http://www.disa.mil/scm
http://www.gao.gov/new.items/d11149.pdf
http://www.nextgov.com/cybersecurity/2013/01/dhs-pick-6-billion-tab-cyber-surveillance-systems-every-department/60445/
- SCM is mandated for government entities (FISMA / DOD CIO / DHS / others).
SCM is a cyber / risk management tool and provides added due diligence: stopping short of a "get out of jail free" card, it keeps you from being the low-hanging fruit!
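A minimal SCM-style baseline-drift check, as an added example that is not part of the original deck, tying the hygiene items of the previous slide (patching, A/V currency, least privilege, firewall settings, a known baseline) to the SCM idea above of measuring deviations from expectations and prioritizing remedies. The host snapshots, baseline limits and risk weights are constructed for illustration; a real SCM capability would take them from automated asset and sensor feeds.

```python
"""Baseline-drift scoring in the style of a security continuous monitoring (SCM) feed.

Added example, not from the original deck. The hosts, baseline values and
weights below are constructed; in practice the snapshots come from automated
feeds (SCM / SIEM / CDM sensors) rather than a literal in the script.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    host: str
    control: str
    detail: str
    score: int  # higher = fix first


# Constructed security baseline: the "expectation" that SCM measures deviation from.
BASELINE = {
    "max_patch_age_days": 30,
    "max_av_sig_age_days": 7,
    "max_admin_accounts": 2,
    "allowed_services": {"ssh", "https"},
    "firewall_required": True,
}

# Constructed risk weight per control; tune these from your own risk model.
WEIGHTS = {"patching": 5, "antivirus": 4, "least_privilege": 4, "firewall": 3, "services": 2}

# Constructed host snapshots, as an automated asset feed might report them.
HOSTS = [
    {"name": "web01", "last_patch": date(2015, 1, 2), "av_sig_date": date(2015, 2, 1),
     "admins": ["root", "ops"], "services": {"ssh", "https"}, "firewall": True},
    {"name": "hr07", "last_patch": date(2014, 9, 15), "av_sig_date": date(2014, 12, 1),
     "admins": ["root", "alice", "bob", "temp"],
     "services": {"ssh", "https", "smb", "telnet"}, "firewall": False},
]


def evaluate_host(host, baseline=BASELINE, weights=WEIGHTS, today=date(2015, 2, 3)):
    """Compare one host snapshot against the baseline and return scored findings."""
    findings = []
    patch_age = (today - host["last_patch"]).days
    if patch_age > baseline["max_patch_age_days"]:
        # Score grows with how far past the limit the host is, capped so that
        # one control cannot swamp every other deviation.
        over = min(patch_age - baseline["max_patch_age_days"], 90)
        findings.append(Finding(host["name"], "patching",
                                f"last patched {patch_age} days ago",
                                weights["patching"] * (1 + over // 30)))
    av_age = (today - host["av_sig_date"]).days
    if av_age > baseline["max_av_sig_age_days"]:
        findings.append(Finding(host["name"], "antivirus",
                                f"A/V signatures {av_age} days old", weights["antivirus"]))
    extra_admins = len(host["admins"]) - baseline["max_admin_accounts"]
    if extra_admins > 0:
        findings.append(Finding(host["name"], "least_privilege",
                                f"{extra_admins} admin account(s) over limit",
                                weights["least_privilege"] * extra_admins))
    if baseline["firewall_required"] and not host["firewall"]:
        findings.append(Finding(host["name"], "firewall", "host firewall disabled",
                                weights["firewall"]))
    unexpected = host["services"] - baseline["allowed_services"]
    if unexpected:
        findings.append(Finding(host["name"], "services",
                                "unexpected services: " + ", ".join(sorted(unexpected)),
                                weights["services"] * len(unexpected)))
    return findings


def posture_report(hosts=HOSTS, **kw):
    """Roll findings up into a prioritized remediation list and a posture score.

    The posture score is 100 minus the total deviation points, floored at 0,
    so an environment that matches its baseline scores 100.
    """
    findings = [f for h in hosts for f in evaluate_host(h, **kw)]
    findings.sort(key=lambda f: f.score, reverse=True)  # highest risk first
    total = sum(f.score for f in findings)
    return {"posture_score": max(0, 100 - total), "findings": findings}


if __name__ == "__main__":
    report = posture_report()
    print("posture score:", report["posture_score"])
    for f in report["findings"]:
        print(f"{f.score:3d}  {f.host:6s} {f.control:15s} {f.detail}")
```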
-
Mobile Security perspective
http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report.pdf
Key Issue / Risk Findings:
Extensive use of mobile devices connecting to corporate networks
--89% have mobile devices such as smartphones or tablets connecting to corporate networks
--Apple iOS is the most common mobile platform used to connect in corporate environments
Personal mobile devices that connect to corporate networks are extensive and growing
--65% allow personal devices to connect to corporate networks
--78% have more than twice as many personal devices on corporate networks vs 2 years ago
Security risks are on the rise because of mobile devices
--71% say mobile devices have contributed to increased security incidents
--The Android mobile platform is considered to introduce the greatest security risks
Employee behavior impacts security of mobile data
--47% report customer data is stored on mobile devices
--Lack of employee awareness about security policies ranked as greatest impact on data security
--72% say careless employees are a greater security threat than hackers
Contrast that 75%+ of users with personal devices with the percentage of employers who have a coordinated and comprehensive mobile security strategy in place (10%), and you see the problem.
*** NSA/CSS Mobility Capability Package = Architecture / Certification - a MUST DO *** http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_Vers_2_3.pdf
Check Point's global survey of 768 IT professionals was conducted in the United States, Canada, United Kingdom, Germany, and Japan. The survey gathered data about current mobile computing trends.
Mobile / wireless are HUGE threat entry points!
--- BYOD is NOT cheap ---
http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_Vers_2_0.pdf
-
GAO report on mobile vulnerabilities KEY risks / concerns:
Mobile devices often do not have passwords enabled.
Two-factor authentication is not always used when conducting sensitive transactions.
Wireless transmissions are not always encrypted.
Mobile devices may contain malware.
Mobile devices often do not use security software.
Operating systems may be out-of-date.
Software / patches on mobile devices may be out-of-date.
Mobile devices often do not limit Internet connections; many mobile devices do not have firewalls to limit connections.
Mobile devices may have unauthorized modifications (known as "jailbreaking" or "rooting").
Communication channels / Bluetooth may be poorly secured.
Major protection methods:
Enable user authentication
Enable two-factor authentication for sensitive transactions
Verify the authenticity of downloaded applications
Install antimalware and a firewall
Install security updates
Remotely disable lost or stolen devices
Enable encryption for data on any device or memory card
Enable whitelisting (on phones too!)
Establish a mobile device security policy
Provide mobile device security training
Establish a deployment plan
Perform risk assessments
Manage hygiene = configuration control and management
http://www.networkworld.com/news/2012/091912-mobile-security-262581.html
--- BYOD is NOT cheap ---
-
Cloud Security Factoids
Areas that will mature soon, enhancing enterprise risk management (re: Gartner):
Consensus on what constitutes the most significant risks,
Cloud services certification standards,
Virtual machine governance and control (orchestration),
Enterprise control over logging and investigation,
Content-based control within SaaS and PaaS, and
Cloud security gateways, security "add-ons" based in proxy services
We recommend following both the NIST and CSA cloud guidance:
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
http://csrc.nist.gov/publications/PubsSPs.html
AND an overall, enterprise, e2e, risk management approach (e.g., RMF & FedRAMP)
The cloud security challenges are principally based on:
a. Trusting the vendor's security model
b. Customer inability to respond to audit findings
c. Obtaining support for investigations
d. Indirect administrator accountability
e. Proprietary implementations can't be examined
f. Loss of physical control
Cloud Security Alliance (CSA) nine critical threats:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Shift from only protecting the network, to the DATA itself! (e.g., data centric security)
-
Cloud Security Summary
Security in the cloud is likely better than you have in-house
* Security is the SAME everywhere; WHO does which IA controls changes
For more details see paper: "Cloud Security - What really matters?" at http://www.sciap.org/blog1/ (under Cyber Body of Knowledge)
* Don't sell cloud; offer security capabilities instead, end2end services
* Few are all in the cloud @ 100% - hence TWO environments to manage
* ALL must use the same cloud security standards (and QA in SLA)
http://www.sciap.org/blog1/wp-content/uploads/Cloud-Security-Standards-SEP-20131.xlsx
* Implement SCM / SIEM, integrate cloud metrics / status (& QA the SLAs)
* Service Level Agreements (SLA) are not sufficient: trust but verify (Orchestration SW?)
* Encrypt everywhere - yes, more key management, but risks greatly reduced
* Data owners are always accountable for PII / privacy / compliance (& location)
* Update Risk Management Plan (RMP) = Comms, COOP, with cloud R&R
http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
-
Integration, execution is everything, as if you can't implement well, it costs you everywhere!!!
The quantitative benefits of systems integration and interoperability (I&I) are:
1. Shorter/reduced steps in business processes
2. Time taken to process one application/record
3. Less complaints from members of the public
4. No. of applications/records processed over a period
5. Less complaints from end- users
6. Reduced number of errors
7. Reduced software development time/effort
8. Reduced maintenance
9. Reduced no. of IT personnel
The qualitative benefits of I&I are:
1. Improved working procedures
2. Better communication with other related organizations
3. Job satisfaction
4. Redefine job specification
5. Improved data accessibility
6. One-stop service
7. More friendly public service
The best capability means little if it stays in the box.
Until the user is happy using & benefitting from the new capability, it has no value.
Buying stuff is easy; getting it to work in your environment is hard.
Plan for I&I - then double it.
-
SO what MUST WE ALL DO??? NIST's absolutely necessary Security Protections
NIST - National Institute of Standards and Technology - NISTIR 7621
Protect information/systems/networks from damage by viruses, spyware, and other malicious code. (IA suite, A/V, encryption, etc)
Provide security for your Internet connection / ISP
Install and activate software firewalls on all your business systems
Patch your operating systems & applications (and now things too!)
Make backup copies of important business data/information
Control physical access to your computers and network components
Secure your wireless access point and networks
Train your employees in basic security principles
Require individual user accounts for each employee on business computers and for business applications
Limit employee access to data and information, and limit authority to install software
MUST DO tasks: consider this your due diligence list, where ALL have CM / hygiene aspects
http://csrc.nist.gov/publications/drafts/nistir7621-r1/nistir_7621_r1_draft.pdf
-
Cyber Security Best Practices Overview (Best practices are not a panacea, just a guide = to DO the basics)
Quantify your business protection needs: do you have an asset inventory?
Determine what is good enough or minimally acceptable for your business
Quantify your environment's threats and vulnerabilities
Have a security policy that's useful, complete, CEO/leadership endorsed
Run self-assessments on security measures (use accepted tests, STIGs, PenTests, etc) and compliance (HIPAA, PCI, CFR, SOX, etc)
Training and awareness programs are much needed, but not a guarantee
As you can somewhat control what you plan, but you usually ONLY get what you enforce!
TEST your BCP, COOP, recovery plans, backup: have you ever restored?
Encrypt where you can - assess where / how you need it (IM, e-mail, file transfer, storage, backup, etc)
Be familiar with / USE the NIST IA/Security series; they are very good!
DO / check / enforce the cyber basics (re: hygiene, access control, simplify & SCM)
Reduce complexity: use only approved / preferred products lists (A/PPLs)
A risk management plan (RMP) - using both threats AND consequences
-
What can you DO right now? Ready for immediate implementation = 95+% incident reduction
1 - Install tools/scripts to catch USERS' mistakes.. lock down the end devices (only allow root admin to install anything..). Use effective access control (enforce least privilege!)
2 - Manage the browser as THE threat vector... (80% of malware comes through here). Have ONE secure browser version (IE9), use the guest account (force downloads to one folder), and manage a specific settings profile (to manage active code / Java, etc). Implement a deny-all access approach, allow URLs using only a controlled white list (no, this is NOT hard to do!)
Cyber continues to be about US ALL doing the basics
3 - Run tools / application firewalls to minimize zero-day problems, and enforce CM/hygiene, along with "defensive I&W" monitoring tools (re: SCM / SIEM - #5)
4 - KISS / reduce IA complexity: only buy cyber products off APLs/PPLs (they have pedigrees / C&A already!) And USE their security features like TPM!!
5 - USE a security continuous monitor (SCM) firm for real-time scans for both current vulnerabilities (SQL injection, et al) and new threats... (where the firm has feeds/data from US CERT, etc, so they are always current on new threats / zero day problems)
6 - If you make IT stuff, build IA/security in; there are lots of simple guides:
http://www.sans.org/critical-security-controls/guidelines.php
http://www.sans.org/top25-software-errors/
We're STILL lax.. Google DarkReading "Real-World Developers Still Not Coding Securely"
-
Overall Way Forward (given all the unknowns, variables this is one approximately correct path ;-))
Company Vision embedded in Cyber Plans/RMP: know where you are going, where the passion is / what the USER values
Hope is Not a Strategy - re: 2012 Annual DDoS Attack and Impact Survey!
SO Quit admiring the cyber problem / threat and start DOING something!
Risk Management Plan (RMP): Use NIST's RMF (or COBIT)! Have a dynamic, realistic RMP supporting your business success metrics, as you ARE betting your livelihood on cyber!
Effective, enforced Policy: Embedded in core business success factors, rules to enforce statutory, legal mandates, key processes, to enforce behavior (pos & neg incentives)
The Basics, basics, basics: New toys matter little if your environment(s) are not managed (SCM / SIEM!)
Poor hygiene / CM causes almost ALL security incidents (80 - 97%)
-
Cyber Security opportunities (Cyber can both protect your business AND enhance the bottom line!)
IT / Cyber Global factors (user pull):
World-wide B2B: Trust / cloud / sharing
IoT / M2M: Automation / Sensors
Consumerization of IT: Phones / wireless / apps
Privacy / Data: IP / PII / compliance
GAPS / Needs (from the Federal cyber priority council S&T gaps):
TRUST: Distributed / MLS
Resiliency: SW / apps / APIs / services
Agile operations: BE the vanguard / integration
Effective missions: Business success factors
Vulnerabilities / Threats (Verizon DBIR, Forbes, etc threat reports - what ails us most):
CM / Hygiene: patching / settings
Access control: Authentication is key
Top security mitigations: Whitelist, patch, limit access, etc
Risk Mgmt: Ad hoc / not global
Future Opportunities:
SIEM / SCM: QA hygiene / sensors; ESA / simple tools!
Mobile Security: Poor apps / iOS weak; billions of users = volume
Mitigate Obsolescence: Minimize patching, legacy vulnerabilities; OA / modularity / APIs & SCRM
Data Security: Predictive analytics; Privacy by design
Effective Business Risk Management (BRM) = cybersecurity framework (CMMI / FAR): Focus on reducing business risk; Managed security services (MSS) & cyber insurance
-
SUMMARY
SO. What really matters in Cyber?
DO the cyber BASICS well, for things, people AND processes; invest in select new capabilities, protect privacy and follow your RMP!!!
Take ACTION NOW: (1) security assessment, (2) SCM/SIEM, & (3) Cyber insurance!
OSD / federal S&T activities:
Distributed Trust
Resilient Architectures
Response and Cyber Maneuver
Visualization and Decision Support
Dynamic policy management (RaDaC)
Detection and Autonomic Response
Recovery and Reconstitution
NSA / agency S&T activities:
Mobility, wireless, & secure mobile services
Platform integrity / compliance assurance
End client security
Cyber indications and warning (I&W)
Mitigation engineering (affordability)
Massive data (data centric security)
Advanced technology (targeted)
Virtualization secure capabilities
Doing the BASICS: (1) enforced cyber hygiene, (2) effective access control, (3) reduced complexity in IA / cyber (APLs / NIAP / approved products), (4) IA / Cyber SCM / CDM / SIEM (ongoing diagnostics AND mitigations = CDM)
It's all about TRUST and DATA
It's NOT all about expensive new cyber capabilities but more about the SoS / I&I glue
-
Cyber security URLs / links of interest..
Major cyber / IA sites
https://infosec.navy.mil
http://www.doncio.navy.mil/TagResults.aspx?ID=28
http://iase.disa.mil/Pages/index.aspx
http://csrc.nist.gov/publications/PubsSPs.html
http://www.nsa.gov/ia/index.shtml
https://cve.mitre.org/
http://www.cisecurity.org/
http://www.cert.org/
http://www.commoncriteriaportal.org/
https://www.thecsiac.com/resources/all
http://www.dhs.gov/topic/cybersecurity
http://iase.disa.mil/stigs/Pages/index.aspx
http://niccs.us-cert.gov/
https://www.sans.org/programs/
http://www.cerias.purdue.edu/
https://www.cccure.org/
http://www.rmf.org/
http://nvd.nist.gov/
Others of interest
https://www.cool.navy.mil
http://www.threatstop.com/
http://www.darkreading.com/
http://www-03.ibm.com/security/xforce/
http://www.iso27001security.com/
http://iac.dtic.mil/csiac/ia_policychart.html
http://www.nascio.org/
Some training sites:
http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.aide.html
http://iase.disa.mil/eta/online-catalog.html#fsotools
http://iase.disa.mil/eta/cyberchallenge/launchPage.htm
http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html
http://www.microsoft.com/security/sdl/default.aspx
-
IA/Security Axioms to consider / accommodate / educate
Security and complexity are often inversely proportional.
Security and usability are often inversely proportional.
Good security now is better than perfect security never.
A false sense of security is worse than a true sense of insecurity.
Your security is only as strong as your weakest link.
It is best to concentrate on known, probable threats first.
Security is an investment (insurance), not an expense, with an RoI.
Security is directly related to the education and ethics of your users.
Security is a people problem: users stimulate problems, at all levels.
Security through obscurity is weak & we can NOT always add security later.
http://www.avolio.com/papers/axioms.html
Work through all these in your Risk Management Plan!
Who says what we MUST DO?
From a business DUE CARE / due diligence level, collectively: NIST, NSA, SANS, etc - the following slides provide details
-
NIST's Highly Recommended Practices
http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
Policy / practice for email attachments and requests for sensitive information
Policy / practice for web links in email, instant messages, social media, or other means
Policy / practice for popup windows and other hacker tricks
Doing online business and secure banking
Recommended personnel practices in hiring employees
Security considerations for web surfing, prohibited sites
Policy / practice for downloading software from the Internet
How to get help with information security when you need it
How to dispose of old computers, media and fax machines
How to protect against Social Engineering, data loss prevention
WHAT, more to do? YES, but most are related to standard IA/CND mitigations...
-
NSA IAD top ten controls
1 - Application whitelisting - only run approved apps (that SysAdmin reviews)
2 - Control Administrative privileges - minimize escalation, enforce least privilege
3 - Limit workstation-to-workstation communications - thwart the pass-the-hash
4 - Use Anti-virus File Reputation Services - leverage cloud-based threat databases
5 - Enable Anti-Exploitation Features - for example, MS Windows EMET
6 - Implement Host Intrusion Prevention System Rules - focus on threat behaviors
7 - Set a Secure Baseline Configuration - layered security, standard images, etc
8 - Use Web Domain Name Service (DNS) Reputation - screen URLs, intrusion alerts
9 - Use/Leverage Software improvements - software / OS upgrade and patch policy
10 - Segregate Networks and functions based on role, functionality - monitor sections, then isolate when attacked
http://www.sans.org/security-resources/IAD_top_10_info_assurance_mitigations.pdf
-
SANS top 20 controls (ver 3)
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance, Monitoring, and Analysis of Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based on the Need to Know
10: Continuous Vulnerability Assessment and Remediation
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Security Skills Assessment and Appropriate Training to Fill Gaps
http://www.sans.org/critical-security-controls/
-
Top 35 Mitigations
http://www.asd.gov.au/infosec/top35mitigationstrategies.htm
At least 85% of the targeted cyber intrusions the Australian Signals Directorate responds to could be prevented by following the Top 4 mitigation strategies:
1. use application whitelisting to help prevent malicious software and other unapproved programs from running
2. patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
3. patch operating system vulnerabilities
4. minimize the number of users with administrative privileges.
Examples of Targeted Cyber Intrusions mitigation strategies: Disable local administrator accounts; Multifactor authentication; Network segmentation and segregation; Application based workstation firewall; Host-based Intrusion Detection/Prevention System; Centralized and time-synchronized logging; Whitelisted email content filtering; Web domain whitelisting for all domains; Workstation application security configuration hardening; User education; Computer configuration management; Server application security configuration hardening; Antivirus software with up to date signatures; Enforce a strong passphrase policy; etc.
-
Top 25 SW development errors
[1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5] Missing Authentication for Critical Function
[6] Missing Authorization
[7] Use of Hard-coded Credentials
[8] Missing Encryption of Sensitive Data
[9] Unrestricted Upload of File with Dangerous Type
[10] Reliance on Untrusted Inputs in a Security Decision
[11] Execution with Unnecessary Privileges
[12] Cross-Site Request Forgery (CSRF)
[13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14] Download of Code Without Integrity Check
[15] Incorrect Authorization
[16] Inclusion of Functionality from Untrusted Control Sphere
[17] Incorrect Permission Assignment for Critical Resource
[18] Use of Potentially Dangerous Function
[19] Use of a Broken or Risky Cryptographic Algorithm
[20] Incorrect Calculation of Buffer Size
[21] Improper Restriction of Excessive Authentication Attempts
[22] URL Redirection to Untrusted Site ('Open Redirect')
[23] Uncontrolled Format String
[24] Integer Overflow or Wraparound
[25] Use of a One-Way Hash without a Salt
http://cwe.mitre.org/top25/
Must BUILD IA IN. This starts with SW.. AND applies to Apps / Services
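Two of the listed weaknesses shown as the defect beside its fix, as an added example (not code from the original deck or from MITRE): [1] SQL injection, where the fix is parameter binding, and [25] a one-way hash without a salt, where the fix is a per-user random salt with an iterated KDF. The user table, names, passwords and iteration count are constructed; only the Python standard library is used.

```python
"""CWE Top 25 entries [1] and [25]: each defect beside its fix.

Added example, not code from the original deck. The in-memory user table and
the passwords are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")])
    return conn


# [1] CWE-89: the caller's value is pasted into the SQL text, so a quote in the
# input is parsed as SQL syntax instead of being treated as data.
def find_email_vulnerable(conn, name):
    return conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchone()


# Fix: bind the value as a parameter; the driver never interprets it as SQL.
def find_email_fixed(conn, name):
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()


# [25] CWE-759: an unsalted one-way hash yields identical digests for identical
# passwords, so one precomputed table cracks every user who chose that password.
def hash_password_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


ITERATIONS = 200_000  # constructed value; raise it as your hardware allows


# Fix: per-user random salt plus an iterated KDF (PBKDF2-HMAC from the stdlib).
def hash_password_salted(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)  # constant-time compare


def sqli_demo():
    """A legitimate name containing a quote breaks the vulnerable query (sqlite
    raises a syntax error) but is handled as plain data by the fixed query."""
    conn = make_db()
    try:
        find_email_vulnerable(conn, "O'Brien")
        vulnerable_ok = True
    except sqlite3.Error:
        vulnerable_ok = False
    return vulnerable_ok, find_email_fixed(conn, "O'Brien")


def hashing_demo():
    """Unsalted: same password, same digest. Salted: distinct digests that still verify."""
    unsalted_same = hash_password_unsalted("winter2015") == hash_password_unsalted("winter2015")
    a = hash_password_salted("winter2015")
    b = hash_password_salted("winter2015")
    return unsalted_same, a != b, verify_password("winter2015", a), verify_password("wrong", a)


if __name__ == "__main__":
    print("SQLi demo (vulnerable query survived, fixed result):", sqli_demo())
    print("hashing demo (unsalted collide, salted differ, verify ok, wrong rejected):",
          hashing_demo())
```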
-
In general, companies must provide a security level commensurate with the government site they are going to do business with... (see NIST & GSA & FISMA web sites below)
This NIST publication provides a good overview of the government requirements, which in general need to be met by companies connecting to government sites iso services provided...
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
Information Security rules by GSA
http://www.gsa.gov/portal/content/104257
FISMA rules / regulations are also representative of items to be assessed
http://csrc.nist.gov/groups/SMA/fisma/index.html
VA has a contract clause that's fairly standard
http://www.iprm.oit.va.gov/docs/Appendix_C.pdf
The Education Department has a good overview of requirements
http://www2.ed.gov/fund/contract/about/bsp.html
New LAWs - Government Contractors Subject to Cybersecurity Regulations, More are on the Way
http://www.scribd.com/doc/89226369/Government-Contractors-Now-Subject-to-Cybersecurity-Regulations-%E2%80%93-And-More-are-on-the-Way
Small business security overview (and detailed brief on the major security product details too)
http://www.sciap.org/blog1/wp-content/uploads/Small-Business-Security-ADT-Cluster-v4_Mike_Davis_July_26_2011.pdf
What small businesses need to know about cyber security before they can offer services to the government
-
How to find / bid on government contracts
MUST have DUNS number or Cage Code (and capability statement/documents)
Central source for SBA
http://www.sba.gov/content/federal-contracting-resources-small-businesses
+++ System for Award Management (SAM - register here first / asap.. it drives many other processes)
https://www.sam.gov/index.html
FedBizOpps
https://www.fbo.gov/
SPAWAR small business opportunities
http://www.public.navy.mil/spawar/Documents/Small_Business/SPAWAR_3_year_Acquisition_Forecast_22_May_2013.pdf
Federal Procurement Data System
https://www.fpds.gov/fpdsng_cms/
Dynamic Small Business Search
http://dsbs.sba.gov/dsbs/search/dsp_dsbs.cfm
Interested in the SBIR / STTR programs? See information in the overview offered below
http://www.navysbir.com/overview.htm
You REALLY need an effective business plan to show clients and investors the big picture.
http://100startup.com/resources/business-plan.pdf
-
Computer Network Attack / Exploit
Provide near-real time OPSEC to IA; effectively leverage the black side Intel into unclass protections
Establish a War Reserve Mode? We have WARM elsewhere; what's that in cyber?
Fusion of diverse data into KM we can use: all sensors, CNA/E effects, OpSec, Intel, etc = improved IA/CND
Can't easily / rapidly tell WHO the bad actors are.. Offensive activities best done by NCA / Cybercom, COCOMs
Cyber War / ROE undefined, asymmetric nature = lose-lose
Offensive cyber methods / tools / activities best used covertly by a skilled few
-
Key cyber capabilities to develop (think secure comms / messaging - here proposed wrt top tier ETAs)
Distributed Trust --- Enable secure distributed interactions by establishing appropriate levels of trust among remote devices, systems, or users. Supports: Models and Protocols for Trust Establishment; Infrastructure; Dynamic Evaluation; Out-of-Band and Physical Trust Maintenance
Resilient Architectures --- Enable functional capabilities to continue despite successful disruption or compromise by the adversary. Supports: Morphing Engines Generating Unpredictability; Secured Network Storage; System Decomposition for Mission-Tailored Tools; Response and Cyber Maneuver
Visualization and Decision Support --- Enable human decision-makers to quickly understand the security and operational implications of the current situation and to rapidly ascertain the best course of action to pursue. Supports: Real-Time Analysis Engines; Common Operational Framework; Holistic Cognitive Environment
Response and Cyber Maneuver --- Enable defenders to perform shaping operations that minimize the attack space and frustrate adversary planning and to take action during attacks to block, disrupt, remove, or counter adversary actions. Supports: Polymorphic Technologies; Cyber Obfuscation; Network Agility
Net-centric Cyber Security = SoS and I&I aspects
-
OTHER cyber capabilities (2nd tier)
Detection and Autonomic Response: Technologies that analyze data collected about the ongoing state of networks, hosts, applications, data, or user actions, and evaluate whether it represents known or probable malicious activity. Technologies that select and invoke immediate defensive actuators in real-time in response to a stream of detected events, without the need for human input.
  - Complex Attack Pattern Recognition; Trustworthy, Intelligent Agents; Game Theoretic Methods
Recovery and Reconstitution: Technologies that restore system trust, capabilities, and reserves to fully functional and normal levels after disruption, damage, or depletion due to cyber attack or effects of a defensive response. Technologies that restore or reconstruct lost or tainted information as closely as possible to its previous undamaged state or to what is current and accurate. Technologies that trace functions, results, or decisions that may have been affected by damaged information and restore or compensate as appropriate.
  - Bio-inspired self-inoculation; Synchronize repair activities without interrupting ongoing mission progression or priorities; Asymmetric redundancy using distributed trust as a recovery metric/mechanism.
Component Trust: Technologies and methodologies that establish a basis for determining and quantifying the likely trustworthiness of acquired hardware or software products that have been constructed outside an organization's control, by methods such as external and internal physical examination, execution monitors, and supply chain risk countermeasures.
  - Hardware/software DNA that vouches for a component's authenticity (re: enhanced TPM); White-listing of trusted hardware/software components; Root of trust, etc
Integration and Interoperability aspects are HUGE
-
Trust (U)
(U) Objective: Develop measures of trustworthiness for components within the cyber infrastructure and for large systems where components and participants have varying degrees of trustworthiness
Cyber PSC PA-Releasable Briefing
November 2012 Page-63
* Scalable reverse engineering and analysis
  - Develop tools that validate and verify hardware chip, firmware and software functionality
  - Develop tools for interoperable and scalable forensic analysis
* Trust establishment, propagation, and maintenance techniques
  - Develop techniques to establish trust anchors within components
  - Develop algorithms to describe, establish, propagate, and revoke trust with distributed reputation management
  - Develop algorithms and mechanisms to manage dynamic and transitive trust relations with coalition partners
* Measurement of trustworthiness
  - Develop quantitative techniques to enable context-aware dynamic trust scoring of components and systems
  - Develop composite measures of trust
* Development of trustworthy architectures and trust composition tools
  - Develop trust architectures that can self-attest to their required trust properties
  - Create techniques to build trustworthy systems from untrustworthy components
-
Resilient Infrastructures (U)
(U) Objective: Develop integrated architectures that are optimized for the ability to absorb shock and the speed of recovery to a known secure state
* Resiliency for operational systems
  - Develop efficiency-, risk-, and cost-based approaches to manage real-time tradeoffs among redundancy, randomization, diversity, and other resiliency mechanisms
* Mechanisms to compose resilient systems from brittle components
  - Develop architectural foundations to compose and manage services in massive environments
  - Develop resiliency-aware abstraction layers that provide dynamic, threat-based component integration
* Integration of sensing, detection, response, and recovery mechanisms
  - Develop automated response tools using information correlated across the infrastructure
  - Develop algorithms for management and outcome analysis of resiliency properties of systems
* Secure modularization and virtualization of nodes and networks
  - Enable heterogeneity at the hardware, hypervisor, operating system, and application layers
  - Develop robust cloud architectures to resist intrusions of potentially hostile elements
  - Develop algorithms for real-time reconstitution based on dynamic feedback of macro-level resilience and health
* Resiliency-specific modeling and simulation techniques
  - Enable the measurement and analysis of systems' quantifiable resiliency properties
-
Agile Operations (U)
(U) Objective: Speed the ability to reconfigure, heal, optimize, and protect cyber mechanisms via automated sensing and control processes
* Techniques for autonomous reprogramming, reconfiguration, and control of cyber components
  * Develop approaches for autonomous policy-driven reconfiguration using ontologies and control loops
* Machine intelligence and automated reasoning techniques for executing courses of action
  * Develop time-constrained automated control loops that select and execute actions within a goal-seeking framework
* Techniques for mapping assets and describing dependencies between mission elements and cyber infrastructure
  * Develop sensors, specification languages, and machine learning for near real-time cyber situational awareness
  * Design static and dynamic models and supporting languages that relate cyber and kinetic domains
  * Develop near real-time mission analysis tools to support combined cyber/kinetic operations
* Techniques for course-of-action analysis and development
  * Develop modeling and simulation techniques for assessment of asset criticality and effects
  * Design game-theoretic approaches to predict adversarial behavior
  * Develop tools for mission simulation, rehearsal, and execution support
* Cyber effects assessment
  * Develop probing, detection, correlation, and visualization techniques
-
Resilient Infrastructures (U)
(U) Objective: Develop novel protocols and algorithms to increase the repertoire of resiliency mechanisms available to the architecture
* Code-level software resiliency
  * Develop novel language features, randomizing compilation techniques, and enhanced execution environments
* Network overlays and virtualization
  * Expedite resilient protocol development using overlays from specification to deployment
  * Develop network reconstitution techniques based on modular design and component virtualization
* Network management algorithms
  * Develop autonomous network management algorithms for scalable reconfiguration and self-healing modeled after biological systems
* Mobile computing security
  * Develop protection models, mechanisms, and algorithms for mobile devices to ensure higher levels of trust
* Distributed systems architectures and service application polymorphism
  * Develop methods for dynamic provisioning, reallocation, reconfiguration, and relocation of cyber assets at both the system and application layers
* Network composition based on graph theory
  * Develop network technologies at the architectural level to enable near real-time reconfiguration
  * Develop algorithms to enable sequenced network reconfiguration actions orchestrated across time and space
* Distributed collaboration and social network theory
  * Develop collaborative tools to support near real-time distributed maneuver
  * Realize social networks that incorporate coalition partners' offensive and defensive capabilities
-
Cyber Problem statement = Poor State of IA & CND (where all IA/CND capabilities must also act as a SoS)
It's all about TRUST: we need a common enterprise trust model. Some HAP/TSM is needed, but where to put which EAL devices?
Need a common top-down, enforced IA/Cyber-capable architecture
Need an alternative to commercial ISPs: leverage existing dark fiber
Effective / secure enterprise access control is foundational: IA&A implementation focus = authorization-based access control complemented by ABAC, RBAC, even RAdAC as an end-state
If you don't control entry and exit, you control nothing; this applies to people, NPEs, software and data, and it is the foundation for mission assurance (MA)!
Proactive/Dynamic Defensive I&W: detect unusual patterns, characteristics, attributes, irregular requests.
Provide auto alerts; divert questionable actions; "wrap" issues/problems
This is the catch-all capability, as we can't protect everything at 99%
Institutionalize Dynamic Cyber Enterprise Management
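The layered access-control end-state this slide calls for (an RBAC gate, refined by ABAC attributes, with RAdAC weighing live risk against operational need and alerting on questionable requests), as an added Python example that is not part of the briefing. The roles, clearance levels, risk thresholds and the request/response shapes are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy data (hypothetical, not from the briefing).
ROLE_PERMISSIONS = {              # RBAC layer: actions a role may request
    "analyst": {"read"},
    "operator": {"read", "write"},
}
LEVELS = {"unclass": 0, "secret": 1, "top_secret": 2}  # ABAC attribute ordering


@dataclass
class Decision:
    allow: bool
    reason: str
    alert: bool = False   # True when the request should also raise an I&W alert


def decide(subject: dict, action: str, resource: dict, context: dict,
           risk_limit: float = 0.5, hard_cap: float = 0.8) -> Decision:
    """Layered gate: RBAC, then ABAC, then RAdAC (risk-adaptive) on top.

    subject:  {"role", "clearance", "domain"}  (a person or an NPE)
    resource: {"classification", "domain", optional "shared_with_coalition"}
    context:  {"risk": 0..1 from the I&W sensors, optional "operational_need"}
    """
    # RBAC: the role must be permitted to perform the action at all.
    if action not in ROLE_PERMISSIONS.get(subject["role"], set()):
        return Decision(False, "rbac: role is not permitted this action")

    # ABAC: clearance must dominate classification; crossing a domain
    # boundary requires an explicit coalition-sharing attribute.
    if LEVELS[subject["clearance"]] < LEVELS[resource["classification"]]:
        return Decision(False, "abac: clearance below classification", alert=True)
    if subject["domain"] != resource["domain"] and not resource.get("shared_with_coalition"):
        return Decision(False, "abac: cross-domain access not authorized")

    # RAdAC: weigh the live risk score against operational need rather than
    # applying a static yes/no. Elevated risk is tolerated only for urgent
    # need, and never at or above the hard cap; every such case is alerted on.
    risk = context["risk"]
    if risk >= hard_cap:
        return Decision(False, f"radac: risk {risk:.2f} at or above hard cap", alert=True)
    if risk > risk_limit:
        if context.get("operational_need") == "urgent":
            return Decision(True, f"radac: risk {risk:.2f} accepted for urgent need", alert=True)
        return Decision(False, f"radac: risk {risk:.2f} above limit for routine need", alert=True)
    return Decision(True, "allowed")


if __name__ == "__main__":
    subj = {"role": "analyst", "clearance": "secret", "domain": "us"}
    res = {"classification": "secret", "domain": "us"}
    print(decide(subj, "read", res, {"risk": 0.6, "operational_need": "urgent"}))
```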
-
Reasons the Cyber Problem Exists
(re: one perspective - SOA / automation security issues)
1. No top-down common implementation IA guidance, with any useable level of detail
2. SOA (and overall OA in general) approaches add governance and communications complexities within DOD / Federal spaces
3. Numerous SOA methods, approaches, schemas; everyone has one, and we need just ONE
4. No unified set of security requirements exists that is traceable to a higher-level, common IA core set (like IATF, GIG ICD, etc.)
5. No Federal consensus on key security issues, barriers and gaps
6. Unclear (too many) authoritative sources, references, standards.
-
Reasons the Cyber Problem Exists (cont)
(as one perspective - SOA / automation security issues)
7. IA covers virtually everything, so what should SOA prioritize?
8. IAW SysEngr principles, SOA must follow an EA & standards
9. No enterprise trust model supporting distributed transitive trust, nor an effective model for secure enterprise cross-domain access control
10. Few T&E / V&V, and thus C&A, plans exist (this MUST be our DOD end-state)
11. Institutional blinders to the fact that networked/internet computers cannot secure data; no electronic means to assess data leakage and data aggregation.
12. Policy immaturity: policy pre-dates SOA, hence the electronic security foundation is missing. Technology still forges ahead; tools are generations behind and built for other threats.
-
Common Architectural Flaws that exacerbate Cyber Security problems
Fragile Chain of Services
Large Real-time Overhead
Central Administration Mis-alignment with Practical Administrative boundaries
Lack of Support for multiple Access Control Models
No Concept of Risk or Domain Asymmetry or Support for Multiple Mission Vectors
Rigid Inheritance Model
Use of Hard-coded Rigid Monolithic Access Control Frameworks and Products
No Enterprise Concept of Domain Delegation or RAdAC
Lack of Appropriate Layering and Abstraction
-
Common Architectural Flaws (cont)
Inability to Support Multiple and Legacy Models
Schema and Ontology often Incompatible
Attributes do not Align
Methods and Protocols Differ
Technology and the Embedded Dependencies Differ
Use of Hard-coded Rigid Monolithic Access Control Frameworks and Products
Difficult or Inflexible Integration Paths
Lack of Trustworthiness
No Support for Unanticipated Users
Transformations Limited
Lack of Flexible Rapid Application Development and Modeling Tools with IA Built in to the Framework
Lack of Fidelity or Even Use of Modeling to Test Performance at Scale
-
Cyber - Begin with the end in mind
It's clearly important to understand the desired end result, the instantiation of your vision, and to hold the image of that vision as your frame of reference for evaluating everything else.
It is also impossible to integrate capability without having a plan and the correct systems in place to run the business.
Vision execution has to do with the "purposes" of capabilities, which in turn have to do with visualization and complete planning, bundled within personal and business: (a) leadership (what), (b) management (how), and (c) productivity (doing it well).
You can take the concept further by questioning the vision itself!
Challenge assumptions, barriers, limitations, and obstacles (the five whys?)
Always apply critical thinking (reflective skepticism) to the vision, as that brings new ideas, fosters teamwork, promotes options, uncovers spinoffs, stimulates a clear head, and lets fresh perspectives emerge.
If you don't know where you are headed, seemingly blind alleys won't cut it either / waste $$$
-
Cyber - Drive out complexity - KISS
Complexity leads to variation in practice, opportunities for data / operational errors, and increased risk of mission failure.
Reducing complexity is key to improving both risk posture and productivity.
Human engineering and complexity theory teach that WE ALL need to smartly, collaboratively:
- Simplify - Standardize - Automate - Integrate
Reducing complexity is a major competitive factor for ensuring supply chain performance and exceeding customer expectations.
Given that an increasing share of work is outsourced, the challenge of handling complexity has become all the more demanding.
Companies that do not master complexity risk experiencing supply chain inefficiencies, resulting in non-competitive working capital structures, lower transparency of cost drivers and difficulties in achieving service levels.
Address complexity in product, processes and organization... and DATA
Use existing initiatives to simplify both objectives and processes: Just-In-Time, Standardization, Strategic Outsourcing, Supply-chain management, Target costing, Performance Measures...
Take the "zero-baseline" approach to complexity
-
Cyber - Maximize investments / ROI
With a strategic approach to maintenance and by effectively using key performance indicators, organizations can better maximize resources, reduce capital and operating costs, and increase their return on investment (ROI). It's all about managing risk, from a high performance organization (HPO) operating perspective.
The critical elements of successful project value ROI analysis:
Always start with business goals and challenges rather than technology.
Complete ROI analysis both for the past and for the future.
Business goals cannot be achieved through technology alone.
Project benefits cannot always be completely or accurately quantified; intangible elements have value too.
There are many kinds of project costs in evaluations.
Analyze your entire technology project portfolio.
Monitor critical business success metrics and re-evaluate your project alignment process.
Four ROI pillars: (1) strong foundation / operating plan, (2) defined enterprise effectiveness, (3) business enablement and (4) optimization / differentiation.
Cyber ROI is misleading, as it's more insurance than investment
-
COTS / buy versus build
(ALWAYS try to drive everything to a commodity state!)
MUST balance the business needs, short-term and long-term goals, key requirements and the available technologies and solutions on the market.
The company and key stakeholders must always consider and analyze all the options for each project and solution:
Speed of implementation for a COTS vs. custom solution
Cost of implementation of a COTS vs. custom build
Functionality, flexibility and scalability in a COTS vs. custom build
Support for COTS vs. custom build
Organizational best practices, current technology and skill sets of employees
Potential for upgrading, modification and replacement of COTS vs. build
Key elements in the process:
1. Properly analyze any COTS system for suitability against the capability requirements and from a technical perspective; concurrent engineering applies even more here
2. Beware the COTS sales pitch: the trap to fall into is being promised functionality that isn't in the COTS at present but that they will add for you.
3. Check for unit tests in the COTS and also what development practices they use; be wary if the vendor isn't giving much information about technical aspects. Is the source code available, and have your programmers assessed it?
Ultimately, if it's a critical business function then do it yourself, no matter what.
BUT, with IA/Security/Cyber capabilities, only use APLs/VPLs
-
CNCI
Comprehensive National Cybersecurity Initiative (CNCI). This initiative was launched by the second President Bush in National Security Presidential Directive 54 and Homeland Security Presidential Directive 23 back in January 2008.
There are 12 mutually-reinforcing initiatives that are intended to establish a front line of defense against today's immediate threats, to defend against the full spectrum of threats, and to strengthen the future cybersecurity environment.
INITIATIVE #1 -- Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
This is about consolidating our external access points and creating common security solutions across agencies.
INITIATIVE #2 -- Deploy an intrusion detection system of sensors across the Federal enterprise. This is a passive system that watches traffic and helps notify us about unauthorized network intrusions. DHS is deploying signature-based sensors as part of the EINSTEIN-2 capability, with notification going to US-CERT.
INITIATIVE #3 -- Pursue deployment of intrusion prevention systems across the Federal enterprise. This takes it up a notch with EINSTEIN-3 and not only detects intrusions, but actively prevents intrusions into federal systems. This will have serious zero-day and real-time counter-threat capabilities.
INITIATIVE #4 -- Coordinate and redirect research and development (R&D) efforts. This initiative serves to help us get all of
our R&D efforts working together, with a better communications and tasking infrastructure. It's an important part of utilizing
our resources and our smartest people to the best of their abilities.
INITIATIVE #5 -- Connect current cyber ops centers to enhance situational awareness. This is our key threat-data sharing
initiative.
The National Cybersecurity Center (NCSC) within Homeland Security is helping secure U.S. Government networks and
systems under this initiative by coordinating and integrating information from the various centers to provide cross-domain
situational awareness, analysis, and reporting on the status of our networks. As a side-effect, it's also designed to help our
various agencies play better with each other.
INITIATIVE #6 -- Develop and implement a government-wide cyber counterintelligence (CI) plan. We're now coordinating
activities across all Federal Agencies so we can detect, deter, and mitigate foreign-sponsored cyber intelligence threats to
government and private-sector IT.
-
CNCI
INITIATIVE #7 -- Increase the security of our classified networks. Our classified networks contain our most valuable and most
secret defense and warfighting information. We're continuing to work hard in securing these networks against the changing
threat model.
INITIATIVE #8 -- Expand cyber education. This is where the Comprehensive National Cybersecurity Initiative begins to break
down, because it's where all modern cyberdefense breaks down -- the people. We're training more and more cyberdefense
experts, but we also need to expand that education up and down government, to corporations, and to individuals.
We can have the very best-trained cyberdefense expert in a corporation, say, and it'll all break down if the CEO won't allocate
the time or funds to conduct that defense. It's all about making everyone know just how real these threats are.
INITIATIVE #9 -- Define and develop enduring "leap-ahead" technology, strategies, and programs. We'll talk more about future
directions later, but the idea of leap-ahead is to get 5 to 10 years ahead of the bad guys and explore out-of-the-box thinking in
building a better cyberdefense. This is good stuff, and it's the first CNCI initiative that, essentially, opens the door to concepts
like Stuxnet (or what The Times claimed the White House called "Olympic Games").